Kelihos is Dead… No wait… Long Live Kelihos! Again!

This post is inspired by a news article which highlighted a recent
presentation at RSA. Kelihos, for those that don't know, is a spamming botnet.
For the last few years it has been around in some form or another, but its
spam output has not been nearly as large as some of the other botnets we
regularly talk about, like Cutwail or Lethic.

Anyway, the article is entitled Latest
Kelihos Botnet Shut Down Live at RSA Conference 2013. Wow! Cool! A Live Takedown! "But then again", I thought, "that would the
third time this particular botnet has supposedly been taken down". So I went over to check our spam traps for
evidence of the effect.

And here is what was found, huge amounts of stock 'pump
& dump' spam:

Ironically, in spite
of this spectacular takedown (or perhaps because of it?), spam output from
Kelihos has jumped upwards to spectacular levels. Below is a chart showing the Kelihos
spam levels in a daily spam sample over the past three months. Clearly someone
has got a whole bunch more bots from somewhere! You can see however a slight
dip around 26 February – shown by the arrow – on the day of the live takedown
presentation.

So this increase is significant indeed. Today spam from
Kelihos bots is making up over 50% of the total spam arriving at our spam traps.
That's a big deal. Just to make sure we weren't confusing it with something
else, we ran some recent Kelihos malware samples in our lab. Sure enough,
classic Kelihos pump & dump as evidenced by this template we extracted from
the set of instructions the bot received prior to spamming:

The template matches exactly what we see in our spam traps.
We won't go into too much more here, others have recently provided some
excellent insight into Kelihos; Lavasoft in particular has a very detailed
analysis here.

In the past, there have been numerous much-publicized attempts to takedown
Kelihos, and its predecessors, Storm and Waledac. For some reason, it always
gets a lot of attention by researchers, probably because its peer-to-peer
nature is both interesting, and lends itself to such interference.

But, despite such efforts, Kelihos and its code persists. Each time it merely morphs into something else. It goes
to show that botnet takedowns may be flashy, but unless you arrest the people
running it, or otherwise hamstring them somehow, the chances of a long term
effect are minimal. And even if you do arrest people, code persists, and can be
reused by someone else. These days, it's
also easy for botnet operators to build their bot numbers again through the use
of third-party loaders, or pay-per-install programs, where the criminals simply
pay someone else to load their malware onto a bunch of already compromised
machines. Symantec recently blogged about this sort of relationship: Waledac
Gets Cozy with Virut. In fact, we have been observing Virut loading spambots
for years, here is an M86 Security blog from 2009: Virut's
Not So Obvious Motive.

So taking down botnets is not simple or easy. It's not to say
I don't applaud such efforts. On the contrary, hamper them any way you can, I reckon.
Just don't always expect long lasting results.

Thanks to my SpiderLabs colleague Rodel Mendrez for his
research and input into this blog.